1SSL_CTX_set_cert_cb(3) OpenSSL SSL_CTX_set_cert_cb(3)
2
3
4
6 SSL_CTX_set_cert_cb, SSL_set_cert_cb - handle certificate callback
7 function
8
10 #include <openssl/ssl.h>
11
12 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
13 void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
14
15 int (*cert_cb)(SSL *ssl, void *arg);
16
18 SSL_CTX_set_cert_cb() and SSL_set_cert_cb() sets the cert_cb()
19 callback, arg value is pointer which is passed to the application
20 callback.
21
22 When cert_cb() is NULL, no callback function is used.
23
24 cert_cb() is the application defined callback. It is called before a
25 certificate will be used by a client or server. The callback can then
26 inspect the passed ssl structure and set or clear any appropriate
27 certificates. If the callback is successful it MUST return 1 even if no
28 certificates have been set. A zero is returned on error which will
29 abort the handshake with a fatal internal error alert. A negative
30 return value will suspend the handshake and the handshake function will
31 return immediately. SSL_get_error(3) will return
32 SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
33 suspended. The next call to the handshake function will again lead to
34 the call of cert_cb(). It is the job of the cert_cb() to store
35 information about the state of the last call, if required to continue.
36
38 An application will typically call SSL_use_certificate() and
39 SSL_use_PrivateKey() to set the end entity certificate and private key.
40 It can add intermediate and optionally the root CA certificates using
41 SSL_add1_chain_cert().
42
43 It might also call SSL_certs_clear() to delete any certificates
44 associated with the SSL object.
45
46 The certificate callback functionality supercedes the (largely broken)
47 functionality provided by the old client certificate callback
48 interface. It is always called even is a certificate is already set so
49 the callback can modify or delete the existing certificate.
50
51 A more advanced callback might examine the handshake parameters and set
52 whatever chain is appropriate. For example a legacy client supporting
53 only TLS v1.0 might receive a certificate chain signed using SHA1
54 whereas a TLS v1.2 client which advertises support for SHA256 could
55 receive a chain using SHA256.
56
57 Normal server sanity checks are performed on any certificates set by
58 the callback. So if an EC chain is set for a curve the client does not
59 support it will not be used.
60
62 ssl(3), SSL_use_certificate(3), SSL_add1_chain_cert(3),
63 SSL_get_client_CA_list(3), SSL_clear(3), SSL_free(3)
64
65
66
671.0.2k 2017-01-26 SSL_CTX_set_cert_cb(3)